Cybersecurity researchers have disclosed a significant security vulnerability in Phoenix SecureCore UEFI firmware that affects a range of Intel Core processors used in both desktop and mobile devices. The flaw, tracked as CVE-2024-0762 and assessed with a CVSS score of 7.5, is a buffer overflow caused by the improper use of a variable within the Trusted Platform Module (TPM) configuration. It allows a local attacker to escalate privileges and potentially execute malicious code within the UEFI firmware at runtime.
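The page does not show the affected Phoenix code, so the following is an added, illustrative C example (not Phoenix's firmware and not the actual CVE-2024-0762 code path) of the general bug class the article describes: a size reported by a UEFI variable service is reused without being checked against a fixed-size buffer, beside the hardened reader that a firmware developer or code reviewer should expect to see. The variable name "TpmConfig", the mock GetVariable service, the status-code values and the flat "frame" struct are all constructed for the demo; the canary inside that struct stands in for whatever data the compiler would have placed after the buffer, so the overwrite is observable without writing outside any real object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in EFI status codes; values are illustrative, not taken from the UEFI spec. */
typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS          ((EFI_STATUS)0)
#define EFI_BUFFER_TOO_SMALL ((EFI_STATUS)5)
#define EFI_NOT_FOUND        ((EFI_STATUS)14)

/* Constructed single-entry variable store. "TpmConfig" is a hypothetical name; in
 * this model its length is writable from the OS, i.e. attacker-controlled.
 * g_blob has static storage, so it is zero-filled. */
static uint8_t g_blob[48];
static struct { const char *name; const uint8_t *data; size_t size; } g_store = {
    "TpmConfig", g_blob, sizeof g_blob
};

/* Mimics the GetVariable in/out contract: on entry *data_size is the caller's
 * capacity. If it is too small, the required size is written back and
 * EFI_BUFFER_TOO_SMALL is returned; otherwise the contents are copied and
 * *data_size becomes the number of bytes written. */
static EFI_STATUS mock_get_variable(const char *name, size_t *data_size, uint8_t *data)
{
    if (strcmp(name, g_store.name) != 0)
        return EFI_NOT_FOUND;
    if (*data_size < g_store.size) {
        *data_size = g_store.size;
        return EFI_BUFFER_TOO_SMALL;
    }
    memcpy(data, g_store.data, g_store.size);
    *data_size = g_store.size;
    return EFI_SUCCESS;
}

/* One flat object standing in for a stack frame: a fixed-size config buffer
 * followed by a canary representing whatever the compiler placed after it. */
#define CFG_BUF_LEN 32
#define CANARY_LEN  32
#define CANARY_BYTE 0xC3
struct frame { uint8_t cfg[CFG_BUF_LEN]; uint8_t canary[CANARY_LEN]; };

static void frame_init(struct frame *f)
{
    memset(f->cfg, 0, sizeof f->cfg);
    memset(f->canary, CANARY_BYTE, sizeof f->canary);
}

static int frame_canary_intact(const struct frame *f)
{
    for (size_t i = 0; i < sizeof f->canary; i++)
        if (f->canary[i] != CANARY_BYTE)
            return 0;
    return 1;
}

/* Vulnerable pattern: the size reported by the first call is handed straight back
 * to the second call, so the service copies the variable's full length into a
 * buffer that only holds CFG_BUF_LEN bytes. */
static EFI_STATUS read_cfg_unchecked(struct frame *f)
{
    size_t size = 0;
    EFI_STATUS st = mock_get_variable("TpmConfig", &size, NULL);
    if (st != EFI_BUFFER_TOO_SMALL)
        return st;
    /* BUG: size is never compared against sizeof f->cfg before the copy. */
    return mock_get_variable("TpmConfig", &size, (uint8_t *)f);
}

/* Hardened pattern: the buffer capacity is the only size ever passed in, and an
 * oversized variable surfaces as EFI_BUFFER_TOO_SMALL instead of being copied. */
static EFI_STATUS read_cfg_checked(struct frame *f, size_t *out_len)
{
    size_t size = sizeof f->cfg;
    EFI_STATUS st = mock_get_variable("TpmConfig", &size, f->cfg);
    if (st == EFI_SUCCESS)
        *out_len = size;
    return st;
}

/* Returns 1 when the unchecked reader overwrote the canary (48-byte variable, 32-byte buffer). */
int demo_unchecked_overflows(void)
{
    struct frame f;
    g_store.size = sizeof g_blob;
    frame_init(&f);
    read_cfg_unchecked(&f);
    return !frame_canary_intact(&f);
}

/* Returns 1 when the checked reader rejects the oversized variable and the canary survives. */
int demo_checked_rejects(void)
{
    struct frame f;
    size_t n = 0;
    g_store.size = sizeof g_blob;
    frame_init(&f);
    EFI_STATUS st = read_cfg_checked(&f, &n);
    return st == EFI_BUFFER_TOO_SMALL && frame_canary_intact(&f);
}

/* Returns 1 when a 16-byte variable, which fits, is read normally by the checked reader. */
int demo_checked_accepts_small(void)
{
    struct frame f;
    size_t n = 0;
    g_store.size = 16;
    frame_init(&f);
    EFI_STATUS st = read_cfg_checked(&f, &n);
    return st == EFI_SUCCESS && n == 16 && frame_canary_intact(&f);
}

int main(void)
{
    printf("unchecked reader overflows:  %d\n", demo_unchecked_overflows());
    printf("checked reader rejects:      %d\n", demo_checked_rejects());
    printf("checked reader accepts 16 B: %d\n", demo_checked_accepts_small());
    return 0;
}
```

The point for reviewers is the single missing comparison in `read_cfg_unchecked`: any UEFI code that copies a runtime variable into a stack or fixed-size buffer must bound the copy by the buffer's own size, because the variable's contents and length can be set from the operating system before the next boot.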
Eclypsium, a supply chain security firm, reported that the exploitation of this vulnerability resembles tactics employed in recent firmware backdoors, exemplifying the increasing sophistication of attacks on low-level firmware. Such vulnerabilities represent a growing concern, as they can permit attackers to maintain persistent access to devices while evading traditional security measures operating at higher system layers.
Following responsible disclosure, Phoenix Technologies issued a patch in April 2024, and Lenovo has distributed updates addressing the flaw in various affected devices. The vulnerability is notably critical because it impacts devices using Phoenix SecureCore firmware across several Intel processor families, including but not limited to Alder Lake, Coffee Lake, and Tiger Lake. Because firmware fixes reach end users through each device maker's own update, administrators should confirm with their OEM that a patched firmware image is available for their models rather than assuming the Phoenix patch alone covers their fleet.
The UEFI firmware serves as a pivotal component in modern computing, acting as the first code executed with the highest privileges at system startup. This crucial function has made UEFI a prime target for threat actors seeking to deploy bootkits or firmware implants capable of undermining system security. Given the scope of firmware integration in numerous devices, vulnerabilities like this could introduce severe supply chain risks affecting multiple manufacturers and products simultaneously.
Recent developments also highlight a previously disclosed and still unpatched buffer overflow vulnerability in HP’s UEFI implementation, affecting the ProBook 11 EE G1, a model that reached end-of-life in September 2020. In addition, an emerging software attack known as TPM GPIO Reset raises further concerns: it could allow access to sensitive information stored on disk or bypass critical security measures enforced by the TPM.
In light of these findings, businesses should be aware of the risks associated with their technology infrastructure, particularly as vulnerabilities at the firmware level can have far-reaching implications. The tactics associated with this type of exploitation map to the MITRE ATT&CK framework, which describes methods such as privilege escalation and initial access via exploitation of known vulnerabilities. Corporate stakeholders must remain vigilant and proactive in mitigating the risks posed by such vulnerabilities to maintain a robust cybersecurity posture.